SlideShare a Scribd company logo

Gone in 60 minutes – Practical Approach to Hacking an Enterprise with Yasuo

Download as PPTX, PDF
S
saurabhharit

The document describes Yasuo, a tool written in Ruby that scans a network to identify vulnerable applications. It does this by checking for over 100 known vulnerable applications and exploits them if possible using Metasploit. The document discusses the need for such a tool, how Yasuo works behind the scenes, recent updates, a demo of Yasuo, challenges, and future plans for the tool. It ends by thanking the audience and requesting help improving Yasuo by submitting more application signatures.

Presentations & Public Speaking
1 of 33
Downloaded 14 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
A Practical Approach to Hacking an Enterprise with YASUO Saurabh Harit {@0xsauby} Stephen Hall {@_stephen_h}
root@msf:~$>getuid Saurabh Harit (@0xsauby) Director of Security Research @Security Compass Pentester i.e. Domain Admin at many companies Have a secret crush on reverse engineering Gym freak / Proud father of two beautiful dogs Stephen Hall (@_stephen_h) Security Consultant @Security Compass … … Owner of a Christmas hat
What this talk is not about No 0-days No Shells
Scenario You’re on a red-team engagement You’ve bypassed physical security You’ve bypassed NAC What next? How would you pwn the network? Vulnerability scanner?
The Problem Can’t use network vulnerability scanner Have to be Stealth & Quick Can’t use Google dorks (internal network) site, link, inurl
Where do $hells come from? It’s not about what, it’s about WHERE
Popular Vulnerable Apps Apache Tomcat
Popular Vulnerable Apps JBoss jmx-console
Popular Vulnerable Apps Hudson Jenkins
$hells
Not So Popular Vulnerable Apps ADManager Plus
Not So Popular Vulnerable Apps ADManager Plus
Not So Popular Vulnerable Apps Cyberoam UTM
Not So Popular Vulnerable Apps Cyberoam UTM
YASUO what??? Written in ruby Did not write it on our flight here Scans the network for vulnerable applications Currently supports around 100+ vulnerable applications All currently supported apps are Metasploit-able
Why Yasuo Because there are tons of vulnerable applications and its not easy to find them
World Without Automation Run nmap scan & manually poke each & every web port This CANNOT be fun
What’s currently out there Nikto by Chris Sullo https://www.cirt.net/Nikto2 Nmap script – http-enum.nse by Ron Bowes, Andrew Orr, Rob Nicholls http://nmap.org/nsedoc/scripts/http-enum.html Nmap script – http-default-accounts.nse by Paulino Calderon https://www.nmap.org/nmap-exp/ calderon/scripts/http-default-accounts.nse
Exploring Yasuo
Exploring Yasuo
What’s in the Box yasuo.rb resp200.rb default-path.csv users.txt pass.txt GPL
What’s in the Box
Behind the Scenes Detects false-positives Automatically extracts login form Automatically extracts login parameters
What’s New
RaNdOmIzAtIoN!!! More robust check to detect false positives Properly formatted output table More application signatures Signatures for IP Cameras / Encoder / Decoders Modular & Cleaned-up Code – if there is any such thing
Demo Time
Challenges Exploit-db – great resource but inconsistent format
Challenges Dynamic detection of login page and parameters is regex based.
Future Development Smarter version detection Support masscan output format (because y’all love to scan the Interwebs) Add support for more vulnerable applications, Ofcourse Add secondary signature Make current crappy code modular Add multi-threading Add support for vFeed??? Change format of default path file – CSV to YAML? or JSON?
CFH (cry for help) Signatures Signatures Signatures & Signatures Please submit application signatures: Post a comment on Github Update default path file on Github Drop us an Email Send a Pigeon.
Questions??? or not
Thank You! https://github.com/0xsauby/yasuo ✖ 0xsauby saurabh.harit@gmail.com _stephen_h perfectlylogical@gmail.com
Credit Nmap ruby library - https://github.com/sophsec/ruby-nmap The Exploit Database (EDB) - http://www.exploit-db.com/ @funkaoshi Google Image Cache

More Related Content

PDF
DNS hijacking using cloud providers – No verification needed
Frans Rosén
 
PDF
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Frans Rosén
 
PDF
'Malware Analysis' by PP Singh
Bipin Upadhyay
 
PDF
Red Team Methodology - A Naked Look
Jason Lang
 
PDF
Hunting for the secrets in a cloud forest
SecuRing
 
PPTX
Bsides chicago 2013 honeypots
Tazdrumm3r
 
PPTX
XXE: How to become a Jedi
Yaroslav Babin
 
PDF
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
Frans Rosén
 
DNS hijacking using cloud providers – No verification needed
Frans Rosén
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Frans Rosén
 
'Malware Analysis' by PP Singh
Bipin Upadhyay
 
Red Team Methodology - A Naked Look
Jason Lang
 
Hunting for the secrets in a cloud forest
SecuRing
 
Bsides chicago 2013 honeypots
Tazdrumm3r
 
XXE: How to become a Jedi
Yaroslav Babin
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
Frans Rosén
 

What's hot (19)

PPT
Malware Analysis Made Simple
Paul Melson
 
PPTX
Bug Bounty for - Beginners
Himanshu Kumar Das
 
PDF
Introduction to red team operations
Sunny Neo
 
PPTX
Bsides detroit 2013 honeypots
Tazdrumm3r
 
PPTX
Badneedles
dimisec
 
PPTX
Bug bounties - cén scéal?
Ciaran McNally
 
PDF
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Priyanka Aash
 
PDF
Next Generation War: EDR vs RED TEAM
BGA Cyber Security
 
PDF
Applying principles of chaos engineering to serverless (O'Reilly Software Arc...
Yan Cui
 
PDF
A @textfiles approach to gathering the world's DNS
Rob Fuller
 
PDF
Hacking Web Apps by Brent White
EC-Council
 
PPTX
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
CODE BLUE
 
PDF
Applying principles of chaos engineering to serverless (CodeMesh)
Yan Cui
 
PDF
Internal Pentest: from z3r0 to h3r0
marcioalma
 
PDF
Understanding and hiding your operations
Daniel López Jiménez
 
PPT
Penetration testing, What’s this?
Dmitry Evteev
 
PDF
Audit
Mark Ellzey Thomas
 
PDF
SignaturesAreDead Long Live RESILIENT Signatures
Daniel Bohannon
 
PDF
Hunting for the secrets in a cloud forest
SecuRing
 
Malware Analysis Made Simple
Paul Melson
 
Bug Bounty for - Beginners
Himanshu Kumar Das
 
Introduction to red team operations
Sunny Neo
 
Bsides detroit 2013 honeypots
Tazdrumm3r
 
Badneedles
dimisec
 
Bug bounties - cén scéal?
Ciaran McNally
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Priyanka Aash
 
Next Generation War: EDR vs RED TEAM
BGA Cyber Security
 
Applying principles of chaos engineering to serverless (O'Reilly Software Arc...
Yan Cui
 
A @textfiles approach to gathering the world's DNS
Rob Fuller
 
Hacking Web Apps by Brent White
EC-Council
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
CODE BLUE
 
Applying principles of chaos engineering to serverless (CodeMesh)
Yan Cui
 
Internal Pentest: from z3r0 to h3r0
marcioalma
 
Understanding and hiding your operations
Daniel López Jiménez
 
Penetration testing, What’s this?
Dmitry Evteev
 
Audit
Mark Ellzey Thomas
 
SignaturesAreDead Long Live RESILIENT Signatures
Daniel Bohannon
 
Hunting for the secrets in a cloud forest
SecuRing
 

Similar to Gone in 60 minutes – Practical Approach to Hacking an Enterprise with Yasuo (20)

PDF
Different Methodology To Recon Your Targets
EslamAkl
 
PDF
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
North Texas Chapter of the ISSA
 
PDF
Unmasking or De-Anonymizing You
E Hacking
 
PDF
Putting Rugged Into your DevOps Toolchain
James Wickett
 
PPTX
Static Code Analysis
Geneva, Switzerland
 
PPT
Anton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin
 
PDF
Securing Rails
Alex Payne
 
PPT
BSidesDC 2016 Beyond Automated Testing
Andrew McNicol
 
DOCX
They need either one Manually easy or Hard1. Go to dnschecker..docx
randymartin91030
 
PDF
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Stephan Chenette
 
PPTX
Threat Hunting with Splunk
Splunk
 
PPT
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Nipun Jaswal
 
PDF
technical-information-gathering-slides.pdf
MarceloCunha571649
 
PDF
Shift Left Security
gjdevos
 
PDF
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
Fedir RYKHTIK
 
PPTX
( Ethical hacking tools ) Information grathring
Gouasmia Zakaria
 
PDF
NPTs
Brandon Levene
 
PPTX
Test & Tea : ITSEC testing, manual vs automated
Zoltan Balazs
 
PDF
Super1
neelakanteswarreddy
 
PDF
Filip palian mateuszkocielski. simplest ownage human observed… routers
Yury Chemerkin
 
Different Methodology To Recon Your Targets
EslamAkl
 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
North Texas Chapter of the ISSA
 
Unmasking or De-Anonymizing You
E Hacking
 
Putting Rugged Into your DevOps Toolchain
James Wickett
 
Static Code Analysis
Geneva, Switzerland
 
Anton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin
 
Securing Rails
Alex Payne
 
BSidesDC 2016 Beyond Automated Testing
Andrew McNicol
 
They need either one Manually easy or Hard1. Go to dnschecker..docx
randymartin91030
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Stephan Chenette
 
Threat Hunting with Splunk
Splunk
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Nipun Jaswal
 
technical-information-gathering-slides.pdf
MarceloCunha571649
 
Shift Left Security
gjdevos
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
Fedir RYKHTIK
 
( Ethical hacking tools ) Information grathring
Gouasmia Zakaria
 
NPTs
Brandon Levene
 
Test & Tea : ITSEC testing, manual vs automated
Zoltan Balazs
 
Super1
neelakanteswarreddy
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Yury Chemerkin
 

Recently uploaded (20)

PDF
Why Top Brands Trust Enuncia Global for Language Solutions.pdf
enuncia-global
 
PDF
Instagram's Product Secrets Unveiled with this PPT
mainikunal09
 
PPTX
worship songs, in any order, compilation
wilmalenetoledo
 
PPTX
Role and Responsibilities of Bangladesh Coast Guard Base, Mongla Challenges
Tasnim Alam Safin
 
PPTX
Self management and self evaluation presentation
NikkySharma5
 
PPTX
Impressionism_PostImpressionism_Presentation.pptx
PrincessJazminAligan
 
PPTX
Intro to ISO 9001 2015.pptx wareness raising
nadianisar5
 
PPTX
AcademyNaturalLanguageProcessing-EN-ILT-M02-Introduction.pptx
nguyenhung549091
 
PPTX
Effective_Handling_Information_Presentation.pptx
HarisKaimKhani
 
PPTX
Learning-Plan-5-Policies-and-Practices.pptx
judekimwellnombre15
 
PPTX
Primary and secondary sources, and history
valenciamarcchristia
 
PPTX
Presentation for DGJV QMS (PQP)_12.03.2025.pptx
M. Alper SAHIN
 
DOCX
"Project Management: Ultimate Guide to Tools, Techniques, and Strategies (2025)"
Myplanningtemplates
 
PPTX
2025-08-10 Joseph 02 (shared slides).pptx
Dale Wells
 
PDF
Nykaa-Strategy-Case-Fixing-Retention-UX-and-D2C-Engagement (1).pdf
VaibhavBansal926958
 
PPTX
Project and change Managment: short video sequences for IBA
safwanhossain11
 
PPTX
_ISO_Presentation_ISO 9001 and 45001.pptx
nadianisar5
 
PPTX
Relationship Management Presentation In Banking.pptx
ssuser1d0512
 
PPTX
Tour Presentation Educational Activity.pptx
PaulineAngeliqueBere
 
PPTX
Introduction to Effective Communication.pptx
AnithaT18
 
Why Top Brands Trust Enuncia Global for Language Solutions.pdf
enuncia-global
 
Instagram's Product Secrets Unveiled with this PPT
mainikunal09
 
worship songs, in any order, compilation
wilmalenetoledo
 
Role and Responsibilities of Bangladesh Coast Guard Base, Mongla Challenges
Tasnim Alam Safin
 
Self management and self evaluation presentation
NikkySharma5
 
Impressionism_PostImpressionism_Presentation.pptx
PrincessJazminAligan
 
Intro to ISO 9001 2015.pptx wareness raising
nadianisar5
 
AcademyNaturalLanguageProcessing-EN-ILT-M02-Introduction.pptx
nguyenhung549091
 
Effective_Handling_Information_Presentation.pptx
HarisKaimKhani
 
Learning-Plan-5-Policies-and-Practices.pptx
judekimwellnombre15
 
Primary and secondary sources, and history
valenciamarcchristia
 
Presentation for DGJV QMS (PQP)_12.03.2025.pptx
M. Alper SAHIN
 
"Project Management: Ultimate Guide to Tools, Techniques, and Strategies (2025)"
Myplanningtemplates
 
2025-08-10 Joseph 02 (shared slides).pptx
Dale Wells
 
Nykaa-Strategy-Case-Fixing-Retention-UX-and-D2C-Engagement (1).pdf
VaibhavBansal926958
 
Project and change Managment: short video sequences for IBA
safwanhossain11
 
_ISO_Presentation_ISO 9001 and 45001.pptx
nadianisar5
 
Relationship Management Presentation In Banking.pptx
ssuser1d0512
 
Tour Presentation Educational Activity.pptx
PaulineAngeliqueBere
 
Introduction to Effective Communication.pptx
AnithaT18
 

Gone in 60 minutes – Practical Approach to Hacking an Enterprise with Yasuo

  • 1. A Practical Approach to Hacking an Enterprise with YASUO Saurabh Harit {@0xsauby} Stephen Hall {@_stephen_h}
  • 2. root@msf:~$>getuid Saurabh Harit (@0xsauby) Director of Security Research @Security Compass Pentester i.e. Domain Admin at many companies Have a secret crush on reverse engineering Gym freak / Proud father of two beautiful dogs Stephen Hall (@_stephen_h) Security Consultant @Security Compass … … Owner of a Christmas hat
  • 3. What this talk is not about No 0-days No Shells
  • 4. Scenario You’re on a red-team engagement You’ve bypassed physical security You’ve bypassed NAC What next? How would you pwn the network? Vulnerability scanner?
  • 5. The Problem Can’t use network vulnerability scanner Have to be Stealth & Quick Can’t use Google dorks (internal network) site, link, inurl
  • 6. Where do $hells come from? It’s not about what, it’s about WHERE
  • 7. Popular Vulnerable Apps Apache Tomcat
  • 8. Popular Vulnerable Apps JBoss jmx-console
  • 9. Popular Vulnerable Apps Hudson Jenkins
  • 11. Not So Popular Vulnerable Apps ADManager Plus
  • 12. Not So Popular Vulnerable Apps ADManager Plus
  • 13. Not So Popular Vulnerable Apps Cyberoam UTM
  • 14. Not So Popular Vulnerable Apps Cyberoam UTM
  • 15. YASUO what??? Written in ruby Did not write it on our flight here Scans the network for vulnerable applications Currently supports around 100+ vulnerable applications All currently supported apps are Metasploit-able
  • 16. Why Yasuo Because there are tons of vulnerable applications and its not easy to find them
  • 17. World Without Automation Run nmap scan & manually poke each & every web port This CANNOT be fun
  • 18. What’s currently out there Nikto by Chris Sullo https://www.cirt.net/Nikto2 Nmap script – http-enum.nse by Ron Bowes, Andrew Orr, Rob Nicholls http://nmap.org/nsedoc/scripts/http-enum.html Nmap script – http-default-accounts.nse by Paulino Calderon https://www.nmap.org/nmap-exp/ calderon/scripts/http-default-accounts.nse
  • 21. What’s in the Box yasuo.rb resp200.rb default-path.csv users.txt pass.txt GPL
  • 23. Behind the Scenes Detects false-positives Automatically extracts login form Automatically extracts login parameters
  • 25. RaNdOmIzAtIoN!!! More robust check to detect false positives Properly formatted output table More application signatures Signatures for IP Cameras / Encoder / Decoders Modular & Cleaned-up Code – if there is any such thing
  • 27. Challenges Exploit-db – great resource but inconsistent format
  • 28. Challenges Dynamic detection of login page and parameters is regex based.
  • 29. Future Development Smarter version detection Support masscan output format (because y’all love to scan the Interwebs) Add support for more vulnerable applications, Ofcourse Add secondary signature Make current crappy code modular Add multi-threading Add support for vFeed??? Change format of default path file – CSV to YAML? or JSON?
  • 30. CFH (cry for help) Signatures Signatures Signatures & Signatures Please submit application signatures: Post a comment on Github Update default path file on Github Drop us an Email Send a Pigeon.
  • 32. Thank You! https://github.com/0xsauby/yasuo ✖ 0xsauby saurabh.harit@gmail.com _stephen_h perfectlylogical@gmail.com
  • 33. Credit Nmap ruby library - https://github.com/sophsec/ruby-nmap The Exploit Database (EDB) - http://www.exploit-db.com/ @funkaoshi Google Image Cache